On Tue, Aug 03, 2021 at 01:23:32PM -0400, John Levine wrote:

> >https://nakedsecurity.sophos.com/2021/06/11/alpaca-the-wacky-tls-security-vulnerability-with-a-funky-name/
> 
> Just wondering, did you add the anti-http stuff because of ALPACA or was it 
> already there?

Postfix is written *defensively*, so it terminates connections from
browsers sending SMTP commands and payload as a single HTTP request,
by detecting HTTP verbs and request headers.

These are defenses to protect SMTP servers from abused HTTP clients,
that fortuitously also work to protect HTTP clients from abusable SMTP
servers (that share certificates with HTTP servers, ...).

The defenses have been in place for quite some time.

Likewise, Postfix had detection of NUL bytes in certificate names, long
before Moxie exploited some CA to obtain a cert for "*\0.some.dom.ain",
and requires at least two labels after the "*" (no "*" or "*.tld" certs
were accepted).

Now that (a decade plus later) functionally equivalent checks have also
been in OpenSSL (1.0.2 and later) for some time, Postfix 3.6 (for now
the most recent stable release) finally delegates certificate name
checks to OpenSSL (and requires OpenSSL >= 1.1.1).

So while we don't always anticipate all future security issues, we have
a reasonable track record of being ready when they happen.

-- 
    Viktor.

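Added illustration (not part of the thread, and not Postfix source code) of the two defensive checks Viktor describes above: dropping an SMTP session as soon as a line looks like an HTTP request line or header, and refusing certificate names that contain NUL or carry a wildcard with fewer than two labels after the "*". The function names, the header heuristic and the sample transcripts are my own assumptions; Postfix's actual rule set is in its source, not here.

```python
import re

# Constructed illustration (not Postfix code).  Names and the exact rules are
# assumptions that approximate the checks described in the message above.

HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS",
                "CONNECT", "TRACE", "PATCH"}

# "Name: value".  SMTP commands never put ':' directly after the verb
# ("MAIL FROM:<...>" has a space before FROM), so this does not misfire.
HTTP_HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:(\s|$)")


def looks_like_http(line: str) -> bool:
    """True if an SMTP command line is really an HTTP request line or header."""
    parts = line.strip().split()
    if (len(parts) == 3 and parts[0].upper() in HTTP_METHODS
            and parts[2].upper().startswith("HTTP/")):
        return True
    return HTTP_HEADER_RE.match(line) is not None


def first_http_line(session_lines):
    """Index of the first line at which a defensive SMTP server would
    terminate the connection, or None if the transcript looks like SMTP."""
    for i, line in enumerate(session_lines):
        if looks_like_http(line):
            return i
    return None


def valid_cert_name(name: str) -> bool:
    """Accept a DNS-ID / CN value only if it is a clean hostname or a
    wildcard of the form '*.label.label[...]'.

    Rejects embedded NUL (the "*\\0.some.dom.ain" trick), empty labels,
    '*' on its own, '*.tld', partial-label wildcards such as 'mail*',
    and any '*' that is not the leftmost label.
    """
    if not name or "\0" in name:
        return False
    labels = name.split(".")
    if any(lab == "" for lab in labels):
        return False
    if labels[0] == "*":
        # at least two labels must follow the wildcard
        return len(labels) >= 3 and not any("*" in lab for lab in labels[1:])
    return "*" not in name


# Constructed transcript: a browser POST whose body carries SMTP commands,
# the shape of the cross-protocol abuse in the linked ALPACA write-up.
SMUGGLED_POST = [
    "POST / HTTP/1.1",
    "Host: mail.example.com",
    "Content-Type: text/plain",
    "",
    "EHLO attacker",
    "MAIL FROM:<x@example.com>",
]

# Constructed legitimate SMTP client transcript.
NORMAL_SMTP = [
    "EHLO client.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "DATA",
]

if __name__ == "__main__":
    print("smuggled POST dropped at line:", first_http_line(SMUGGLED_POST))
    print("normal SMTP dropped at line:", first_http_line(NORMAL_SMTP))
    for n in ["mail.example.com", "*.example.com", "*.com", "*",
              "*\0.some.dom.ain", "*.*.example.com", "mail*.example.com"]:
        print(repr(n), valid_cert_name(n))
```

The HTTP check is deliberately line-oriented: the point of the defense is that the first thing an abused browser sends is the request line, so the server never reaches the SMTP commands buried in the body. The name check treats only a whole leftmost "*" label as a wildcard, which is the conservative reading of "at least two labels after the *".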